diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 5b94355..2637f04 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -253,6 +253,50 @@ save_snapshot() {
     ls -t "$SNAPSHOT_DIR"/snapshot_*.dat 2>/dev/null | tail -n +11 | xargs rm -f 2>/dev/null
 }
 
+# BUG FIX #17: Load persistent threat data at startup to block pre-existing high-score IPs
+load_snapshot() {
+    # Restore IP_DATA from last saved snapshot (enables blocking of known threats on startup)
+    local snapshot_file="$SNAPSHOT_DIR/latest_snapshot.dat"
+
+    # Restore is optional (no snapshot on first run)
+    if [ ! -f "$snapshot_file" ]; then
+        return 0
+    fi
+
+    while IFS='=' read -r key value; do
+        [ -z "$key" ] && continue
+
+        case "$key" in
+            IP_DATA\[*)
+                # Extract IP from IP_DATA[IP] format
+                local ip="${key#IP_DATA[}"
+                ip="${ip%]}"
+
+                # Only restore if score >= 50 (filter out noise, keep threats)
+                # Format: score|hits|bot_type|attacks|ban_count|rep_score
+                IFS='|' read -r score _ _ _ _ _ <<< "$value"
+
+                # Restore high-threat IPs (score >= 50 for persistence across restarts)
+                if [ "${score:-0}" -ge 50 ]; then
+                    IP_DATA[$ip]="$value"
+                fi
+                ;;
+            ATTACK_TYPE_COUNTER\[*)
+                # Extract attack type from ATTACK_TYPE_COUNTER[TYPE] format
+                local attack="${key#ATTACK_TYPE_COUNTER[}"
+                attack="${attack%]}"
+                ATTACK_TYPE_COUNTER[$attack]="$value"
+                ;;
+            TOTAL_THREATS)
+                TOTAL_THREATS="$value"
+                ;;
+            TOTAL_BLOCKS)
+                TOTAL_BLOCKS="$value"
+                ;;
+        esac
+    done < "$snapshot_file"
+}
+
 # Statistics counters
 declare -A IP_DATA  # Stores: IP -> score|hits|bot_type|attacks|ban_count|rep_score
 declare -A IP_TIMESTAMPS  # Stores: IP -> comma-separated attack timestamps (last 100)
@@ -3680,6 +3724,21 @@ if [ -n "$IPSET_INIT_ERROR" ]; then
     sleep 3  # Give user time to read
 fi
 
+# BUG FIX #17: Load persistent threat data BEFORE starting auto_mitigation_engine
+# This ensures pre-existing high-score IPs (Score >= 50) are blocked on startup
+load_snapshot
+
+# Immediately write loaded IP_DATA to ip_data file for auto_mitigation_engine to process
+if [ ${#IP_DATA[@]} -gt 0 ]; then
+    {
+        flock -w 2 200 || exit 1
+        for ip in "${!IP_DATA[@]}"; do
+            echo "$ip=${IP_DATA[$ip]}"
+        done
+    } > "$TEMP_DIR/ip_data" 2>/dev/null 200>"$TEMP_DIR/ip_data.lock"
+    echo "[INFO] Restored ${#IP_DATA[@]} threat IPs from persistent storage (Score >= 50)" >&2
+fi
+
 # Start intelligence engines
 detect_distributed_attacks
 auto_mitigation_engine